
SNRS

Configuring Cisco Secure ACS and AAA

Objective
In this exercise, you will install and configure a Cisco Secure Access Control Server (ACS) 4.1 on Windows 2000 to provide centralized authentication services to Cisco IOS devices. You will take a tour of the interface and features of Cisco Secure ACS, and configure the switch to offload all authentication tasks to the configured ACS server. You will install the ACS server to the lab server system, which is the only network end-system used in this exercise. You will also configure a Cisco Catalyst switch to use authentication, authorization, and accounting (AAA) services to authenticate network administrators and LAN users.

Figure 1: Lab visual objective


2007, NIL Data Communications

Command List
Use the following commands to complete this exercise:
aaa authentication enable default method1 [method2...]
    Determines if a user can access the privileged command level
aaa authentication login {default | list-name} method1 [method2...]
    Enables AAA authentication at login
aaa new-model
    Enables the AAA access control model
login authentication {default | list-name}
    Enables AAA authentication for logins
tacacs-server host hostname [key string]
    Specifies a TACACS+ host
username name [nopassword | password [encryption-type] password]
    Establishes a username-based authentication system at login
aaa authentication dot1x default group radius
    Creates an IEEE 802.1x authentication method list
aaa authorization network default group radius
    Configures the switch for user RADIUS authorization for all network-related service requests, such as VLAN assignment
aaa accounting dot1x default start-stop group radius
    Enables AAA accounting and creates method lists defining specific accounting methods on a per-line or per-interface basis for IEEE 802.1x sessions; sends a start accounting notice at the beginning of a process and a stop accounting notice at the end of a process
radius-server host ip-address
    Specifies the IP address of a RADIUS server host
radius-server key key
    Specifies the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon
dot1x system-auth-control
    Enables IEEE 802.1x authentication globally on the switch
dot1x port-control auto
    Enables manual control of the authorization state of the port, and causes the port to change to the authorized or unauthorized state based on the IEEE 802.1x authentication exchange between the switch and the client
dot1x timeout {tx-period | supp-timeout | ...} seconds
    Sets various timeouts
dot1x reauthentication
    Enables periodic reauthentication of the client
dot1x guest-vlan vlan-id
    Specifies an active VLAN as an IEEE 802.1x guest VLAN
dot1x host-mode multi-host
    Allows multiple hosts (clients) on an IEEE 802.1x-authorized port
dot1x auth-fail vlan vlan-id
    Specifies an active VLAN as an IEEE 802.1x restricted VLAN
show dot1x [all | interface]
    Shows details for an identity profile
debug dot1x events
    Displays major events in the 802.1x authentication process

Table 1: Configuration and monitoring commands used to configure AAA services


Detailed Instructions
Follow the steps described in the tasks to complete the exercise.

Task 1: Install Cisco Secure ACS 4.1 for Windows


In this task, you will install the Cisco Secure ACS 4.1 software on your lab server.
Step 1
Using terminal services, log in to the AAA Server using the credentials listed in the User Credentials Information section.

Step 2
Open the Cisco Secure ACS Install folder on your desktop and start the installation process by executing the Setup.exe file in the folder.

Step 3
Click OK if you are warned about memory requirements. The ACS will function normally on the lab platform.

Step 4
Click Accept to acknowledge the terms of the Cisco Secure ACS license agreement.

Step 5
Click Next in the Welcome window.

Step 6
Select all items listed in the Before You Begin window and click Next.

Figure 1: Cisco Secure ACS prerequisites

Step 7
Click Next to accept the default settings in the Choose Destination Location window.


Figure 2: Cisco Secure ACS installation path

Step 8
Select the Also check the Windows User Database radio button in the Authentication Database Configuration window.

Step 9
Select the Yes, refer to "Grant dial-in permission to user" setting check box in the Authentication Database Configuration window and click Next.

Figure 3: Cisco Secure ACS database configuration



Step 10

Check all boxes within the Advanced Options window and click Next.

Figure 4: Cisco Secure ACS advanced options

Step 11
Accept the default settings within the Active Service Monitoring window by clicking Next.

Step 12
Enter any password to protect the Cisco Secure ACS database and click Next.

Step 13
Finally, click Next to complete the installation and start the Cisco Secure ACS services and Cisco Secure ACS administrator.


Figure 5: Finalizing Cisco Secure ACS installation

Step 14

Click Finish to complete the installation.

Verification
Step 15

After Cisco Secure ACS has been installed, its user interface should start automatically. The installation also creates an ACS Admin icon on the desktop of the AAA Server. You may click on the icon to access the ACS administration and configuration interface. A web-based ACS interface will appear in the browser.


Figure 6: Cisco Secure ACS user interface

If the Cisco Secure ACS user interface appears after installation, and contains the elements as seen in Figure 6, the installation of Cisco Secure ACS has been successful.

Task 2: Take a Tour of the Cisco Secure ACS User Interface


In this task, you will familiarize yourself with the features and user interface of Cisco Secure ACS software, and change some of the settings required to continue with the next task. You will determine various Cisco Secure ACS information items and document them.
Step 16

On the AAA Server, in the Cisco Secure ACS administration, scroll down to see the details about the software. Q1: What is the full release version and build number? _________________________________________________________________ _________________________________________________________________

Step 17

Examine the user setup functions by selecting User Setup in the left frame and clicking the List All Users button. Q2: How many users are configured? _________________________________________________________________ _________________________________________________________________


Step 18

Examine the group setup functions by selecting Group Setup in the left frame. Q3: What group is shown in the Group scroll list? __________________________________________________________________ __________________________________________________________________

Step 19

Click on the Users in Group button. Q4: How many users are in the group? __________________________________________________________________ __________________________________________________________________

Step 20

Examine the system configuration functions by selecting System Configuration in the left frame and selecting Service Control. Q5: What is the status of the Cisco Secure service, level of detail for logging, and frequency of new file generation? __________________________________________________________________ __________________________________________________________________

Step 21

Click Cancel to return to the previous menu and select Logging. Q6: What log targets are enabled? __________________________________________________________________ __________________________________________________________________

Step 22

Click Cancel to return to the previous menu and select Local Password Management. Q7: What is the purpose of the password validation option? __________________________________________________________________ __________________________________________________________________

Step 23

Click Cancel to return to the previous menu and select Cisco Secure Database Replication. Q8: What is the purpose of the Cisco Secure Replication Setup? __________________________________________________________________ __________________________________________________________________

Step 24

Click Cancel to return to the previous menu and select ACS Backup. Q9: Where can the ACS user and group databases be backed up? __________________________________________________________________ __________________________________________________________________

Step 25

Click Cancel to return to the previous menu and select ACS Restore. Q10: What components can be backed up and restored? __________________________________________________________________ __________________________________________________________________


Step 26

Click Cancel to return to the previous menu and select ACS Service Management. Q11: What are the two ways a system administrator can be notified of logged events? _________________________________________________________________ _________________________________________________________________

Step 27
Click Cancel to return to the previous menu.

Step 28
Examine the user interface configuration functions by selecting Interface Configuration in the left frame and selecting User Data Configuration. Q12: Why are user-defined fields useful? _________________________________________________________________ _________________________________________________________________

Step 29

Click Cancel to return to the previous menu, select Advanced Options, and select all options. Q13: What is the purpose of selecting advanced options? _________________________________________________________________ _________________________________________________________________

Step 30
Select Submit and return to the previous menu.

Step 31
Select Administration Control in the left frame. Q14: What administrator accounts are configured by default? _________________________________________________________________ _________________________________________________________________ Q15: What is the purpose of the administrator control configuration section? _________________________________________________________________ _________________________________________________________________

Step 32

Examine the external user database functions by selecting External User Databases in the left frame.
Note
If you cannot see the Administration Control button in the left frame due to the limited window size, use the Tab key to move between the buttons.

Step 33

Select Unknown User Policy. Q16: Which two options are available if a user is not found in the ACS database? Which of the two options is the default? _________________________________________________________________ _________________________________________________________________ Q17: Which external databases can be checked for the unknown user? _________________________________________________________________ __________________________________________________________________
Step 34
Click Cancel to return to the previous menu, select Database Group Mappings, and view the help section.

Step 35
Click Cancel to return to the previous menu and select Database Configuration. Q18: What can you select in the External User Database Configuration section? __________________________________________________________________ __________________________________________________________________

Step 36
Click Cancel to return to the previous menu.

Step 37
Examine the reports and activity functions by selecting Reports and Activity in the left frame and selecting Administration Audit. Q19: What appears in the Administration Audit.csv file? __________________________________________________________________ __________________________________________________________________

Step 38
Select Online Documentation in the left frame.

Step 39
(Optional) Take a moment to browse the new features, software requirements, and troubleshooting sections of the online documentation.

Task 3: Configure the Cisco Secure ACS Database for Authentication


In this task, you will configure the Cisco Secure ACS user database by adding a AAA client (switch) in the ACS database, adding a group, and adding a user to the group.
Step 40
Select Network Configuration in the left frame.

Step 41
Click Add Entry in the Network Device Groups section, and configure a AAA client group named LAN Switches (leave all other fields blank).

Step 42
Click Submit to create the group.

Step 43
Click the LAN Switches link and then the Add Entry button to configure a AAA client using the following parameters:

AAA Client Hostname: Switch-TAC+
Client IP address: 10.1.2.1
Shared Secret: vErYrAnDoM
Authenticate Using: TACACS+ (Cisco IOS)

Note
This TACACS+-based entry will be used to authenticate network administrators.

Note
In real life, use a very random string of at least 16 characters for the TACACS+ authentication and encryption key.

Step 44
Click Submit.

Step 45
Click Add Entry again to configure another AAA client using the following parameters:

AAA Client Hostname: Switch-RAD
Client IP address: 10.1.2.1
Shared Secret: vErYrAnDoM
Authenticate Using: RADIUS (Cisco IOS/PIX 6.0)

Note
This RADIUS-based entry will be used to authenticate network users.

Note
A different hostname must be used, although this RADIUS client is the same device as the previous TACACS+ client.

Step 46
Click Submit + Apply.

Step 47
Select Interface Configuration in the left frame.

Step 48
Select TACACS+ (Cisco IOS).

Step 49
In the TACACS+ Services section, select Shell (exec) in both the User and Group columns. Scroll down and, in the Advanced Configuration Options section of the same window, select all four options. Click Submit.

Note
By adding at least one TACACS+ client, the TACACS+ interface configuration option becomes available. By adding at least one RADIUS client, the RADIUS interface configuration options become available.

Step 50
Create a new user group by clicking Group Setup in the left frame.

Step 51
Select Group 1 from the drop-down list.

Step 52
Rename the group to Administrators by clicking Rename Group, highlighting the existing name, typing in the new group name, and clicking Submit.

Step 53
Modify the password change policy for administrators by selecting Edit Settings and set the group settings as follows:

Step 54
In the Password Aging Rules section, configure the apply age-by-date rule for 30 days active, a warning period of 4, and a grace period of 4.

Step 55
Leave all other sections at their default values. Click Submit + Restart.

Step 56
Rename Group 2 to Engineering.

Step 57
Rename Group 3 to Sales.

Step 58
Add a user admin, member of the group Administrators, to the Cisco Secure ACS database by clicking User Setup in the left frame.

Step 59
Enter admin as the username.

Step 60
Enter admin as the password.

Step 61
Enter the password again to confirm it.

Step 62
Scroll to the Group selection drop-down menu and assign the user to the Administrators group.

Step 63
Scroll to the Account Disable section, select Disable account if, and select the Failed attempts exceed: 5 check box.

Step 64
Click Submit.

Step 65
Create another user using username alice with password alice. Make this user a member of the Engineering group.

Step 66
Create another user using username john with password john. Make this user a member of the Sales group.

Verification
Step 67

Click List All Users in the User Setup Select frame and verify that the users you just added are present and correctly configured. Q20: What is the main difference between the parameters in the user and group setups? __________________________________________________________________ __________________________________________________________________

Task 4: Configure the Switch to Authenticate Network Administrators against the Cisco Secure Database
In this task, you will configure the Switch in your lab to use the Cisco Secure ACS as the authentication server using the TACACS+ authentication proxy protocol.
Step 68
On the Switch, configure an enable secret ciscosecret.

Step 69
Enable the new model of AAA.

Step 70
Configure the location of the TACACS+ server using the following parameters:

TACACS+ server IP address: 10.1.2.2
TACACS+ encryption key: vErYrAnDoM

Step 71

Configure an emergency local administrator account with the username localadmin and password localadmin.
Note
You will be able to use this username to log in if the TACACS+ server is down or misconfigured.

Step 72

Configure a named AAA authentication method list for login authentication, using TACACS+ (group tacacs+, which represents all configured TACACS+ servers) as the first, and the local database as the fallback means of authentication.

Step 73
Apply the configured named authentication method list to the console and all vty lines.

Step 74
For added security, create a default login method, which only uses the enable secret (or the enable password, if the enable secret is not configured) to authenticate users. This will serve as a blanket authentication requirement if you forget to apply a specific named login method to a line.

Verification
Step 75

From the AAA Server, telnet to the switch (10.1.2.1) by clicking on the icon Telnet to Router and log in using username admin with password admin. You should successfully log in.
C:\> telnet 10.1.2.1
Username: admin
Password: admin

Printout 1: Login to the Switch

Step 76

Enter the privilege mode using the enable password ciscosecret.


SNRSSwitch>enable
Password: ciscosecret
SNRSSwitch#

Printout 2: Entering privilege mode on the Switch

Note

If you cannot log in, recheck your work and debug the AAA process (debug aaa authentication) or the TACACS+ events (debug tacacs) to determine the reason for the failure. Also examine the Failed Attempts report under the Reports and Activity section of the Cisco Secure ACS user interface.

Task 5: Configure Separate Per-User Enable Passwords


In this task, you will configure centralized enable password management using the Cisco Secure ACS software. Currently, the switch only has a single enable password or secret, which is used by all administrators. It might be required, however, to limit the distribution of such secrets to a closed group of administrators, and give each administrator their own enable secret, making it easier to change it more often, and easier to revoke it if it becomes compromised. Cisco Secure ACS enables per-user enable passwords, where each user can have their own enable password, stored on the central AAA server. To enable this functionality, complete the following steps.
Step 77
In Cisco Secure ACS, edit the Administrators group. In the Enable Options section, select Max Privilege for Any AAA Client and set it to level 15. This will allow these users to access the privileged mode when the per-user enable secret is stored on the AAA server.

Step 78
Click Submit + Restart to enable the settings.

Step 79
Edit the user admin. Scroll to the Advanced TACACS+ Settings. In the TACACS+ Enable Control section select Use Group Level Setting, and in the TACACS+ Enable Password section select the Use Separate Password check box. Enter a password of adminsecret.

Step 80
Click Submit to enable the settings.

Step 81
On the Switch, configure a named AAA authentication method for enable authentication, using TACACS+ as the first, and the enable secret as the fallback means of authentication. The local enable secret will only be used if the TACACS+ server is unavailable.
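The Switch-side configuration for Tasks 4 and 5, written here as an added example rather than taken from the lab guide's own answer key; it uses the addresses and credentials given in the steps above, while the method-list name ADMINS and the vty range 0 15 are assumptions.

```cisco
! ---- Task 4: administrator login via TACACS+, local database as fallback ----
enable secret ciscosecret
aaa new-model
! The ACS host (Switch-TAC+ entry in ACS) and the shared TACACS+ key
tacacs-server host 10.1.2.2 key vErYrAnDoM
! Emergency account: consulted only when no TACACS+ server answers
username localadmin password localadmin
! Named list (name ADMINS is an assumption): TACACS+ first, local database second.
! The "local" method is reached only when TACACS+ is unreachable, not when it
! rejects the user, so a failed ACS password cannot be retried against localadmin.
aaa authentication login ADMINS group tacacs+ local
! Blanket default: a line without an explicit list still requires the enable secret
aaa authentication login default enable
line console 0
 login authentication ADMINS
line vty 0 15
 login authentication ADMINS
!
! ---- Task 5: per-user enable passwords held in ACS ----
! Enable authentication only has a default list. The trailing "enable" method
! means the local enable secret is used only if TACACS+ does not respond.
aaa authentication enable default group tacacs+ enable
```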

Verification
Step 82

From the AAA Server, telnet to the switch (10.1.2.1) and log in using username admin with password admin. You should successfully log in.
C:\> telnet 10.1.2.1
Username: admin
Password: admin

Printout 3: Login to the Switch

Step 83

Enter the privilege mode using the password adminsecret. As this is your per-user enable password, the transition to the privilege mode should succeed.
SNRSSwitch> enable
Password: adminsecret
SNRSSwitch#

Printout 4: Entering the privilege mode on the Switch

Note

If you cannot log in or enter the enable mode, recheck your work and debug the AAA process (debug aaa authentication) or the TACACS+ events (debug tacacs) to determine the reason for the failure. Also examine the Failed Attempts report under the Reports and Activity section of the Cisco Secure ACS user interface.

Task 6: Configure 802.1x


In this task, you will configure a Switch to authenticate the Desktop via 802.1x, and offload authentication to the Cisco Secure ACS.
Step 84
Log into the Desktop by clicking its icon in the lab topology and authenticating using the credentials listed in the User Credentials Information section.

Step 85
Open Start > Network Connections, right-click on the LAB connection, select Properties, and then select the Authentication tab.

Step 86
Ensure that the Enable Network Access Control Using IEEE 802.1x check box is checked.

Step 87
Select MD5-Challenge as the EAP type.

Step 88
Uncheck the Authenticate as computer when computer information is available check box.

Step 89
Click OK.

Step 90
Connect to the Switch; if necessary, log in as admin with password admin and enable password adminsecret.

Step 91
Configure a RADIUS host using the same IP address and key as for the TACACS+ host configuration (IP address 10.1.2.2, key vErYrAnDoM).

Step 92
Create a named 802.1x authentication method list, which uses the default RADIUS group.

Step 93
Configure the Switch for user RADIUS authorization for all network-related service requests.

Note
To allow VLAN assignment, you must enable AAA authorization to configure the switch for all network-related service requests.

Step 94
Enable IEEE 802.1x authentication globally.

Step 95
Determine the preconfigured VLANs by issuing the show vlan command. Your list of preconfigured VLANs should resemble the list in Table 1.
VLAN  Description
10    Users VLAN used on ports connecting users before 802.1x
20    Management VLAN hosting the Cisco Secure ACS
30    Guest VLAN for users without the 802.1x supplicant or users failing to authenticate
40    Engineering VLAN for users in the Engineering group
50    Sales VLAN for users in the Sales group
60    Unauthenticated VLAN for devices before 802.1x starts

Table 1: Preconfigured VLANs

Step 96
Configure the FastEthernet 0/22 interface connecting to the Desktop for 802.1x authentication using the following characteristics:

- Put the port into VLAN 60 (Unauthenticated VLAN) used for unauthenticated users
- Enable automatic 802.1x port authorization
- Enable periodic re-authentication
- Specify an active VLAN 30 (Guest VLAN) as an 802.1x guest VLAN (devices without an 802.1x supplicant)
- Specify an active VLAN 30 (Guest VLAN) also as an 802.1x failed VLAN (devices with an 802.1x supplicant but failing to authenticate)
- Specify a maximum of two allowed authentication attempts before a port moves to the Guest VLAN
- Set the timeout for supplicant reply to 3 seconds
- Set the timeout for supplicant retries to 3 seconds
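One way to carry out Steps 91 through 96 on the Switch, given here as an added example and not as the lab guide's own configuration; it assumes aaa new-model is already active from Task 4, adds switchport mode access (not named in the step) so the port is a plain access port, and takes the auth-fail max-attempts value from the Auth-Fail-Max-attempts line of Printout 7.

```cisco
! ---- Global RADIUS and 802.1x setup (Steps 91 to 94) ----
! Same ACS host and key as the TACACS+ entry; ACS knows this client as Switch-RAD
radius-server host 10.1.2.2
radius-server key vErYrAnDoM
! 802.1x authentication lists only support the default list, hence "default"
aaa authentication dot1x default group radius
! Without network authorization the switch ignores VLAN attributes returned by ACS
aaa authorization network default group radius
! Nothing is enforced on any port until 802.1x is enabled globally
dot1x system-auth-control
!
! ---- Port facing the Desktop (Step 96) ----
interface FastEthernet0/22
 switchport mode access
 ! Holding VLAN until a supplicant authenticates (assumption: access port)
 switchport access vlan 60
 ! Port state follows the EAPOL exchange instead of being forced up or down
 dot1x port-control auto
 dot1x reauthentication
 ! Clients with no supplicant land in VLAN 30 after the EAP-Request/Identity
 ! retries time out (see the EAP Timeout line in Printout 5)
 dot1x guest-vlan 30
 ! Clients whose credentials ACS rejects also land in VLAN 30
 dot1x auth-fail vlan 30
 dot1x auth-fail max-attempts 2
 ! 3-second wait for the supplicant's EAP reply, and 3 seconds between
 ! EAP-Request/Identity retransmissions (matches SuppTimeout/TxPeriod in Printout 7)
 dot1x timeout supp-timeout 3
 dot1x timeout tx-period 3
```

Because the guest VLAN and the auth-fail VLAN are the same VLAN 30 here, a device that never answers and a device that answers with bad credentials end up with identical access; keep the two VLANs separate when they should be treated differently.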

Verification
Step 97

On the Switch, shutdown the FastEthernet 0/22 interface.



interface FastEthernet0/22
 shutdown

Configuration 1: Shutting down the FastEthernet 0/22 interface on the Switch

Step 98

On the Desktop, right-click on the LAB connection in the Network Connections window and select Disable.

Figure 2: Disable LAB port

Note

Because of the architecture of the remote lab, it is necessary to use this approach, as there are multiple switches between the Switch and the Desktop. A disconnected LAB port on the Desktop is not detected by the Switch, and a shut down FastEthernet 0/22 interface on the Switch is not detected by the Desktop. We must, therefore, shut down the FastEthernet 0/22 interface on the Switch and disable the LAB port on the Desktop, and then re-enable the two ports almost simultaneously, to simulate a physical PC being connected to the Switch.

Step 99

On the Switch, enable 802.1x event debugging.


SNRSSwitch#debug dot1x events

Configuration 2: Enabling the 802.1x event debugging on the Switch

Step 100

Enable the FastEthernet 0/22 interface on the Switch (this starts the 802.1x authentication process) quickly followed by enabling of the LAB port on the Desktop (this starts a new DHCP request) to simulate the physical connection of the PC to the switch.
interface FastEthernet0/22
 no shutdown

Configuration 3: Enabling the FastEthernet 0/22 interface on the Switch


Note

Because there are multiple switches between the Desktop and the Switch it is not possible to test 802.1x authentication. We can, however, test the Guest VLAN functionality as the Desktop will appear to the Switch as a client without a supplicant.

SNRSSwitch(config-if)#
13:22:22: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
13:22:22: dot1x-ev:dot1x_mgr_if_state_change: FastEthernet0/22 has changed to UP
13:22:22: dot1x-ev:Sending create new context event to EAP for 0000.0000.0000
13:22:22: dot1x-ev:Created a client entry for the supplicant 0000.0000.0000
13:22:22: dot1x-ev:Created a default authenticator instance on FastEthernet0/22
13:22:22: dot1x-ev:dot1x_switch_enable_on_port: Enabling dot1x on interface FastEthernet0/22
SNRSSwitch(config-if)#13:22:22: dot1x-ev:dot1x_switch_enable_on_port: set dot1x ask handler on interface FastEthernet0/22
13:22:22: %LINK-3-UPDOWN: Interface FastEthernet0/22, changed state to up
SNRSSwitch(config-if)#
13:22:23: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:23: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:23: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
SNRSSwitch(config-if)#
13:22:26: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:26: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:26: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
SNRSSwitch(config-if)#
13:22:29: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:29: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:29: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
SNRSSwitch(config-if)#
13:22:32: dot1x-ev:Received an EAP Timeout on FastEthernet0/22 for mac 0000.0000.0000
13:22:32: dot1x-ev:dot1x_guest_vlan_authc_fail: Authentication failure due to non responsive client on FastEthernet0/22
13:22:32: dot1x-ev:dot1x_guest_vlan_authc_fail: Activating guest VLAN 30 on port
13:22:32: dot1x-ev:dot1x_switch_pm_port_set_vlan: Setting vlan 30 on interface FastEthernet0/22
13:22:32: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port FastEthernet0/22, forcing to DOT1X_MULTI_HOST
13:22:32: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
13:22:32: dot1x-ev:vlan 30 vp is added on the interface FastEthernet0/22
13:22:32: dot1x-ev:dot1x_switch_is_dot1x_forwarding_enabled: Forwarding is disabled on Fa0/22
13:22:32: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port FastEthernet0/22, forcing to DOT1X_MULTI_HOST
13:22:32: dot1x-ev:dot1x_guest_vlan_modify_host_mode: Guest VLAN feature overriding host_mode on port FastEthernet0/22, forcing to DOT1X_MULTI_HOST
13:22:32: dot1x-ev:dot1x_switch_port_authorized: set dot1x ask handler on interface FastEthernet0/22
13:22:32: dot1x-ev:Received successful Authz complete for 0000.0000.0000
13:22:32: dot1x-ev:FastEthernet0/22:Sending EAPOL packet to group PAE address
13:22:32: dot1x-ev:dot1x_mgr_pre_process_eapol_pak: Role determination not required on FastEthernet0/22.
13:22:32: dot1x-ev:dot1x_mgr_send_eapol: Sending out EAPOL packet on FastEthernet0/22
13:22:33: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/22, changed state to up
SNRSSwitch(config-if)#

Printout 5: 802.1x Debugging


Step 101

On the Desktop, open a command prompt and verify the assignment of the IP address from the DHCP pool for the Guest VLAN 30 (the IP address should be from the 10.1.3.0/24 network).
Note
If no IP address has been assigned yet, use the ipconfig /renew command to request an address via DHCP again.

C:\WINDOWS>ipconfig

Windows IP Configuration

Ethernet adapter MGMT:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.250.11
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . :

Ethernet adapter LAB:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 10.1.3.6
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 10.1.3.1

Printout 6: Desktop received IP address from DHCP pool for Guest VLAN

Note

It may take some time for the Desktop to acquire the address as the 802.1x authentication process tries to communicate with the Desktop before giving up and assigning the Desktop to the Guest VLAN.

Step 102

On the Switch, view the 802.1x status of the FastEthernet 0/22 interface.
SNRSSwitch#show dot1x interface FastEthernet 0/22 details
Dot1x Info for FastEthernet0/22
-----------------------------------
PAE                       = AUTHENTICATOR
PortControl               = AUTO
ControlDirection          = Both
HostMode                  = SINGLE_HOST
ReAuthentication          = Enabled
QuietPeriod               = 60
ServerTimeout             = 30
SuppTimeout               = 3
ReAuthPeriod              = 3600 (Locally configured)
ReAuthMax                 = 2
MaxReq                    = 2
TxPeriod                  = 3
RateLimitPeriod           = 0
Auth-Fail-Vlan            = 30
Auth-Fail-Max-attempts    = 2
Guest-Vlan                = 30

Dot1x Authenticator Client List Empty

Port Status               = AUTHORIZED
Authorized By             = Guest-Vlan
Operational HostMode      = MULTI_HOST
Vlan Policy               = 30

Printout 7: The 802.1x status of the FastEthernet0/22 interface on the Switch


